b"                          Review of New York State Higher\n                          Education Services Corporation\xe2\x80\x99s\n                                Year 2000 Readiness\n\n\n\n\n               MANAGEMENT INFORMATION REPORT\n\n\n\n\n                              Control Number ED-OIG/A05-90044\n                                        October 1999\n\n\n\n\nOur mission is to promote the efficient            U.S. Department of Education\nand effective use of taxpayer dollars              Office of Inspector General\nin support of American education                   Chicago, Illinois\n\x0c                              NOTICE\n\nStatements that management practices need improvement, as well as other\n conclusions and recommendations in this report, represent the opinions of\n the Office of Inspector General. Determination of corrective action to be\n taken will be made by appropriate Department of Education officials. In\n accordance with the Freedom of Information Act (5 U.S.C. \xc2\xa7522), reports\n  issued by the Office of Inspector General are available, if requested, to\nmembers of the press and general public to the extent information contained\n                therein is not subject to exemptions in the Act.\n\x0c                             UNITED STATES DEPARTMENT OF EDUCATION\n\n                                                 OFFICE OF INSPECTOR GENERAL\n\n                                                                                                                   THE INSPECTOR\n\n\n\n\nMEMORANDUM\n\n\n TO:           Greg Woods\n               Chief Operating Officer\n\n\n\n\n FROM:         Lorraine Lewis,\n\nSUBJECT: Review of New York State Higher Education Services Corporation's Year 2000\n\n\n\nAttached is our Management Information Report that informs you of the results of our review of\nNew York State Higher Education Services Corporation's (Corporation) Year 2000 readiness.\nManagement Information Reports are intended to provide information for decision makers and are\nnot audit or investigative reports. Our objectives were to ensure that the Corporation: (1) has\ndeveloped adequate management plans to achieve Year 2000 compliance for its own computer\nsystems and for those of its information or data interface partners, and (2) is monitoring\n\n\n\nOur review indicates that the Corporation is making satisfactory progress in its Year 2000 efforts.\nWe believe the Corporation's efforts are satisfactory because it exhibits acceptable performance in\nall key phases of the Year 2000 project management process with the following minor exceptions.\nThe Corporation needs to ensure that it: (1) addresses a potential problem associated with its use\nof the year '10' for windowing in the Debt Management Collection System, (2) completes\nindependent verification and validation testing, and (3) addresses backup computing capability in its\ncontingency plan. These exceptions are not yet significant, but the Guarantor and Lender Oversight\n\n\n\n\n                                         400 MARYLAND AVE., S.W. WASHINGTON, D.C.\n            Our mission is to ensure equal access to education and to promote educational excellence throughout the Nation.\n\x0cIn accordance with the Freedom of Information Act (5 U.S.C. \xc2\xa7552), reports issued by the Office of\nInspector General are available, if requested, to members of the press and general public to the extent\ninformation contained therein is not subject to exemptions in the Act. Copies of this report have been\n\n\n If you have any questions concerning this report, please call Richard J. Dowd, Regional\n\n\n\n Attachme\n\x0cTable of Contents\nReview of New York State Higher Education Services Corporation's\nYear 2000 Readiness\nControl Number ED-OIG/A05-90044\n\n\nExecutive Summary                                                  1\n\n\nOn-Site Review Observations                                        3\n\nEvaluation of Testing                                              7\n\nEvaluation of Contingency Planning                                 8\n\nRisk Analysis                                                      9\n\nConclusion and Recommendation                                      11\n\nAppendix\n\n     Background                                                    1\n\n     Objectives, Scope, and Methodology                            1\n\x0cED-OIG Management Information Report CN ED-OIG/A05-90044\nReview of New York State Higher Education Services Corporation's Year 2000 Readiness\n\n\n\n                             Executive Summary\nCorporation                  Our evaluation indicated that the New York State Higher Education\nMaking                       Services Corporation (Corporation) is making satisfactory progress in\nSatisfactory                 its Year 2000 readiness efforts. The Corporation exhibits acceptable\nProgress With                performance in all key phases of the Year 2000 project management\n                             process. However, the U.S. Department of Education (ED) Guarantor\nMinor Exceptions\n                             and Lender Oversight Service (GLOS) should monitor the Corporation\n                             to ensure that it: (1) addresses a potential problem associated with its\n                             use of the year '10' for windowing in the Debt Management Collection\n                             System (DMCS), (2) completes independent verification and validation\n                             testing, and (3) addresses backup computing capability in its\n                             contingency plan.\n\nDMCS Potential               The Corporation determined that its current DMCS is Year 2000\nWindowing                    compliant. However, the Corporation\xe2\x80\x99s renovation of the DMCS used\nProblem                      '10' for windowing, which could cause minor errors in early 2000 if it\n                             projects a date 10 years into the future. The Corporation has\n                             contracted for a new DMCS system that it will implement in January or\n                             February 2000. Corporation officials agreed to look into the\n                             windowing issue because it is a potential problem if the new system\n                             encounters serious delays. We informed the Corporation officials that if\n                             the new system is not ready, they should determine a \xe2\x80\x9cfailure date,\xe2\x80\x9d\n                             which is a date when the windowing will no longer function as intended.\n\nNo Independent               In addition, the Corporation has not completed independent verification\nVerification and             and validation testing. The Corporation has sent out a Request for\nValidation Testing           Proposal and received 23 responses. A Corporation official indicated\n                             that it was evaluating the responses and that the independent verification\n                             and validation testing is planned. The lack of independent testing is\n                             mitigated because the Corporation had independent contractors\n                             perform modifications to the Guaranteed Loan System and DMCS\n                             while the Corporation assigned the Data Processing staff to oversee\n                             and monitor the project. In addition, the Corporation staff performed\n                             user acceptance testing.\n\nContingency Plan             While the Corporation has completed most of the contingency plan, it\nLacks Backup                 has not established a plan for a backup computer to run its applications\nComputer                     should the current mainframe fail. A Corporation official informed us\n                             that the State of New York has control over the system and is in the\n                             process of consolidating its data centers. Until the State makes\n\n\n                                             Page 1\n\x0cED-OIG Management Information Report CN ED-OIG/A05-90044\nReview of New York State Higher Education Services Corporation's Year 2000 Readiness\n\n                             decisions regarding the consolidation, the Corporation cannot move\n                             forward and finalize its contingency plans.\n\nED's                         ED has a responsibility to ensure that all of its computer systems and\nResponsibility               the interfaces between them and the systems of its trading partners are\n                             ready to handle data that includes dates both before and after January\n                             1, 2000. ED has issued various publications to reinforce the\n                             seriousness of Year 2000 compliance and the critical milestone dates\n                             for each of the five phases set forth by the Office of Management and\n                             Budget and the General Accounting Office. The designated phases for\n                             a Year 2000 readiness plan are awareness, assessment, renovation,\n                             validation, and implementation (with ongoing contingency planning\n                             throughout the entire project).\n\nScope of Review              We conducted on-site field work at the Corporation in Albany, New\n                             York from June 15 - 22, 1999. On August 10, 1999, we updated\n                             certain information. We examined the Corporation\xe2\x80\x99s supporting\n                             documentation and interviewed personnel to determine progress on the\n                             five phases of the Year 2000 project. Our evaluation disclosed that the\n                             Corporation has completed all phases of its Year 2000 readiness\n                             efforts with the exception of the issues discussed above. This\n                             Management Information Report is intended to provide information for\n                             decision makers and is not an audit or investigative report.\n\n\n\n\n                                             Page 2\n\x0cED-OIG Management Information Report CN ED-OIG/A05-90044\nReview of New York State Higher Education Services Corporation's Year 2000 Readiness\n\n\n                        On-Site Review Observations\nManagement                  The Corporation was founded in 1975 to work with the higher\nApproach                    education and financial services communities to expand educational\n                            opportunities for students. It is the largest state guarantor in the Federal\n                            Family Education Loan (FFEL) Program, making over $1.6 billion in\n                            higher education funding available to students each year. To become\n                            Year 2000 ready, the Corporation used guidelines from three sources to\n                            prepare a comprehensive overall planning document. These three\n                            sources were: (1) ED, (2) the New York State Banking Department,\n                            and (3) the State of New York\xe2\x80\x99s Office for Technology. The\n                            Corporation outsourced about 80 percent of its Year 2000 efforts to\n                            several contractors.\n\nYear 2000 is a              On July 2, 1997, Governor George Pataki directed that New York\nPriority for New York       State\xe2\x80\x99s number one technology priority was Year 2000 compliance. In\n                            New York State, the Office for Technology is charged with the\n                            responsibility of coordinating a statewide policy addressing Year 2000\n                            issues. Within this framework, the Office for Technology established the\n                            \xe2\x80\x9cTop 40\xe2\x80\x9d priority systems. While the Corporation did not have any of\n                            its systems in the \xe2\x80\x9cTop 40,\xe2\x80\x9d it did have three systems listed as \xe2\x80\x9cHigh\n                            Priority.\xe2\x80\x9d These systems are the Guaranteed Loan System (Loan\n                            System), Debt Management Collection System (DMCS), and Grants\n                            and Scholarships System (G&S). The systems are run on a Year 2000\n                            compliant IBM mainframe.\n\nManagement                  The Corporation uses the Loan System to approve and monitor\nInformation Systems         guaranteed loans. GuaranTec, Inc. owns the DMCS, the backbone of\n                            the Corporation\xe2\x80\x99s collection efforts, which is used to track and service\n                            defaulted student loans. GuaranTec maintains the DMCS and enhances\n                            it through the use of task orders. The Corporation uses the G&S to\n                            administer New York State\xe2\x80\x99s Tuition Assistance Program and various\n                            other State scholarships. It renovated and moved the three systems\n                            (Loan, DMCS, and G&S) into production on March 29, 1999, March\n                            22, 1999, and May 3, 1999, respectively. The Corporation also has\n                            Program Access to HESC (PATH), a non-critical system, which is a PC\n                            software product developed by the Corporation to assist schools and\n                            lenders with processing of proprietary and Common Line record\n                            layouts. Changes to the PATH were implemented on March 29, 1999,\n                            in coordination with the Loan and G&S systems. For purposes of this\n                            review, we focused primarily on the Loan System and DMCS because\n\n\n\n                                              Page 3\n\x0cED-OIG Management Information Report CN ED-OIG/A05-90044\nReview of New York State Higher Education Services Corporation's Year 2000 Readiness\n\n                            they are critical systems related to Federal programs. We performed\n                            minimal review work on the PATH and G&S systems.\n\nSystem Prioritization       The Office for Technology determined that the Corporation\xe2\x80\x99s three\n                            systems (Loan, DMCS, and G&S) were not in the State\xe2\x80\x99s \xe2\x80\x9cTop 40\xe2\x80\x9d for\n                            priority but rather were \xe2\x80\x9cHigh Priority\xe2\x80\x9d mission critical systems. The\n                            Office for Technology required each agency with a priority system to\n                            analyze the impact of Year 2000 on these systems and prepare plans for\n                            bringing them into compliance. Staffing resources, costs, and schedules\n                            had to be identified, monitored, and reported to the Office for\n                            Technology quarterly.\n\n                            The Corporation prepared an overall Year 2000 strategy that gained\n                            executive level support and sponsorship as part of its awareness\n                            campaign. A Management Information Systems Steering Committee\n                            was formed and the Corporation reports its Year 2000 status to the\n                            Board of Trustees. The Corporation sends quarterly reports to the\n                            Office for Technology, which has overall responsibility for the State\xe2\x80\x99s\n                            Year 2000 effort and serves as the focal point for the compliance work.\n                            The State demonstrated its commitment to ensure that agencies had\n                            sufficient funds available to get their systems compliant.\n\n                            The Office for Technology requested that each agency prepare a Year\n                            2000 Risk Assessment to evaluate each agency\xe2\x80\x99s potential for becoming\n                            Year 2000 compliant. It identified the agency\xe2\x80\x99s most critical business\n                            areas and related liabilities if these areas are not brought into\n                            compliance. The criteria for prioritizing the business areas were an\n                            agency's decision based on issues such as client welfare and receipt of\n                            Federal money. The Assessment also served to scope the Year 2000\n                            problem on a statewide basis in terms of breadth and complexity for\n                            senior management.\n\n                            The Corporation performed a risk assessment that identified core\n                            business areas. It inventoried and analyzed the core processes and\n                            prioritized them. The risk assessment provided a schedule of phases by\n                            identifying due dates for process compliance. The risk assessment also\n                            noted which processes have an effect on the FFEL Program, other\n                            agency systems, data exchange partners, and if they are mission critical.\n                            Our review of the risk assessment disclosed that it is reasonable and\n                            complete.\n\n\n\n\n                                             Page 4\n\x0cED-OIG Management Information Report CN ED-OIG/A05-90044\nReview of New York State Higher Education Services Corporation's Year 2000 Readiness\n\nTechnical                   Each of the Corporation\xe2\x80\x99s three high priority systems represented unique\nApproach                    considerations with respect to Year 2000 compliance. Therefore, the\n                            Corporation tailored its approach to achieving full compliance to meet\n                            the requirements of the diverse environments. The Corporation\n                            contracted out most of its Year 2000 compliance efforts to several\n                            contractors. From a systems standpoint, we segregated the\n                            Corporation\xe2\x80\x99s Year 2000 compliance project into the following six\n                            areas: (1) Loan System, (2) DMCS, (3) PATH, (4) G&S, (5) personal\n                            computers, and (6) embedded chips. We also considered data\n                            exchange, which is a crosscutting issue. We performed only a limited\n                            review of the PATH because it is a non-critical system. We also\n                            performed only a limited review of the G&S because it is not related to\n                            Federal programs.\n\nThe Loan System             The Corporation contracted with ObjectWare to bring its Loan System\n                            into full Year 2000 compliance. The Loan System was migrated to an\n                            IBM mainframe, which is Year 2000 compliant. The Corporation\n                            completed the migration on February 18, 1998. As part of migrating the\n                            Active Loans database, the Corporation expanded year fields to four\n                            digits. The Year 2000 changes were largely for internal processing\n                            dates.\n\n                            The Corporation required ObjectWare to perform the following\n                            functions to bring the Loan System into full compliance:\n\n                            \xe2\x80\xa2      Identify all date fields.\n                            \xe2\x80\xa2      Expand date fields where necessary.\n                            \xe2\x80\xa2      Identify all common date manipulation routines and modify them\n                                   to correctly process dates of any format.\n                            \xe2\x80\xa2      Ensure all programming code that manipulates dates correctly\n                                   utilizes the common date macros.\n                            \xe2\x80\xa2      Locate and correct date routines.\n                            \xe2\x80\xa2      Add the century to date fields on all Electronic Financial Aid\n                                   Network layouts.\n                            \xe2\x80\xa2      Review and expand, where necessary, all date fields in working\n                                   storage or on internal layouts.\n                            \xe2\x80\xa2      Fully test the system for current and future dates.\n\n                            To ensure full compliance prior to the production date of March 29,\n                            1999, all work related to Year 2000 compliance was completed, tested,\n                            and turned over to the Corporation for user acceptance testing.\n\nDMCS                        The Corporation contracted with GuaranTec to bring its current DMCS\n\n                                             Page 5\n\x0cED-OIG Management Information Report CN ED-OIG/A05-90044\nReview of New York State Higher Education Services Corporation's Year 2000 Readiness\n\n                            into full Year 2000 compliance. The current DMCS required minimal\n                            changes to become compliant. GuaranTec is in the process of\n                            developing a new DMCS, which will be implemented in January or\n                            February 2000.\n\n                            Most of the current DMCS was already Year 2000 compliant because\n                            the database and most input screens already used four-digit years. The\n                            Corporation employed a windowing algorithm in the conversion program\n                            to make the system compliant. That is, if the year is greater than '10',\n                            the century will be '19', or else it will be '20'. GuaranTec conducted\n                            unit, aging, regression, and volume testing on each module changed to\n                            determine if it is calculating dates properly and functioning similar to the\n                            original module.\n\nPersonal Computers          The Corporation contracted with Digital Equipment Corporation for an\n                            inventory of all PC hardware and software to verify Year 2000\n                            compliance. The Corporation obtained Year 2000 compliance vendor\n                            certifications for software and any non-compliant software will be\n                            upgraded. The Corporation found a minimal amount of hardware with\n                            internal operating system type problems that were not Year 2000\n                            compliant and it will retire most of that hardware by the end of the year.\n\nEmbedded Chip               The Corporation staff, in conjunction with the Office for Technology and\n                            New York State\xe2\x80\x99s Office of General Services, addressed embedded\n                            chip issues that could affect the Corporation\xe2\x80\x99s operations. Embedded\n                            chips are used to control elevators, environmental systems, navigational\n                            devices, household appliances, safes, and vaults. The Corporation\n                            inventoried its embedded chips and renovated any found noncompliant.\n                            As part of the embedded chip project, the Corporation obtained\n                            certifications from its service providers.\n\nData Exchange               The Corporation addressed its obligation to assure that its compliant\n                            systems do not become corrupt by data exchanges with noncompliant\n                            systems, (e.g., schools, lenders, vendors, and Federal government\n                            systems). This was a high priority security issue that the Corporation\n                            addressed through firewalls or filters, which simply reject any\n                            noncompliant data. The Corporation has approximately 500 data\n                            exchange partners. Most of the data exchange partners have already\n                            switched to a four-digit year format. As of March 29, 1999, 14 schools\n                            and 5 lenders (out of a population of 300 schools and 80 lenders) were\n                            still using the two-digit year format. Bridging tools are used to handle\n                            data exchange with partners still using the two-digit format. The\n\n\n                                              Page 6\n\x0cED-OIG Management Information Report CN ED-OIG/A05-90044\nReview of New York State Higher Education Services Corporation's Year 2000 Readiness\n\n                            Corporation has tested with Sallie Mae, Citibank and Marine Midland,\n                            which account for 80 percent of its business.\n\n\n                            Evaluation of Testing\nTest Plans Complied          Vendors provided test plans to the Corporation that complied with the\nwith Federal                 Federal Financial Institutions Examination Council guidelines for\nFinancial Institutions       validation testing. According to a Corporation official, the New York\nExamination Council          State Banking Department audited the plans and found them\nGuidelines                   satisfactory. The official also informed us that the Corporation required\n                             user sign-off for all programs prior to moving them into production and\n                             it encountered no major problems after the move.\n\nTesting of Loans             The Corporation contracted with ObjectWare to test its Loan System.\nSystem                       ObjectWare performed unit testing, regression testing, system testing,\n                             volume testing, and the Corporation performed user acceptance testing.\n                             The regression testing included 1999 and 2000 dates. The user\n                             acceptance testing included formal sign-off by the Corporation.\n                             ObjectWare provided the Corporation with detailed test scripts and\n                             results documentation for each program. The Corporation also did its\n                             own testing of the Loan System that included testing interfaces between\n                             subsystems.\n\nTesting of DMCS              The Corporation contracted with GuaranTec, which in turn\nSystem                       subcontracted with Affiliated Computer Services, Inc., to test its\n                             DMCS system. Affiliated Computer Services, Inc., provided a formal\n                             test plan and testing methodology to the Corporation. The test plan\n                             was designed to test all of the DMCS programs that were modified for\n                             Year 2000 as well as all of the date modules modified. The test plan\n                             also provided information regarding unit testing, regression testing, and\n                             system testing for user acceptance. Testing included target dates in\n                             1999 and 2000 and included interfaces with other systems. GuaranTec\n                             provided the Corporation with assurances that it successfully tested the\n                             DMCS. However, GuaranTec did not provide the detailed testing\n                             results.\n\nTesting of PATH and          The Corporation performed coding and unit testing of its PATH\nG&S Systems                  system, even though that system was determined not to be mission\n                             critical. We did not review testing of the G&S system because that\n                             system does not involve Federal funds.\n\n\n\n\n                                             Page 7\n\x0cED-OIG Management Information Report CN ED-OIG/A05-90044\nReview of New York State Higher Education Services Corporation's Year 2000 Readiness\n\nIndependent                  The Corporation has not completed independent verification and\nVerification and             validation testing. However, a Corporation official informed us that the\nValidation Not               Corporation sent out a Request for Proposal for the work and received\nCompleted                    23 responses. The Corporation official indicated that it was evaluating\n                             the responses and that the independent verification and validation\n                             testing is planned. The lack of independent testing is mitigated because\n                             the Corporation had independent contractors perform the modifications\n                             to the Loan System and DMCS while the Corporation assigned the\n                             Data Processing staff to oversee and monitor the project. In addition,\n                             the Corporation staff performed user acceptance testing.\n\n\n                   Evaluation of Contingency Planning\nAdequate Planning            Year 2000 contingency planning addresses the steps needed to ensure\nMethodology                  the continuity of an agency\xe2\x80\x99s core business processes in the event of a\nDeveloped                    Year 2000-induced system failure. The Corporation initiated its Year\n                             2000 planning efforts in July 1997 in response to a directive from\n                             Governor George Pataki. The Corporation used guidelines provided\n                             by ED, the New York State Banking Department, and the Office for\n                             Technology to prepare a comprehensive overall planning document that\n                             would comply with all requirements for all three organizations.\n\nProvisions for Data          We evaluated the Corporation\xe2\x80\x99s contingency plan as it existed during\nBackup but not for           our site visit. A Corporation official informed us that the Corporation\nComputer Processing          completed the plan by June 30, 1999, as intended. During our\nCapability                   evaluation we were told the contingency plan did provide for adequate\n                             backup of data, but did not provide for an alternate source of computer\n                             processing capability to run the data. The Corporation\xe2\x80\x99s only\n                             equipment capable of running its large programs, such as the Loan\n                             System or DMCS, is the IBM mainframe computer it installed in\n                             approximately August 1998 at its Jordan Road facility. According to\n                             the Corporation official, the mainframe has been updated with a new\n                             Complementary Metal Oxide Substrate unit that is Year 2000\n                             compliant.\n\n                             We found the Corporation has sufficient procedures in place to backup\n                             data. The Corporation has two Redundant Array of Independent\n                             Disks (RAID) boxes used for backup storage. The RAID boxes work\n                             in near real-time and together with the mainframe computer serve to\n                             form a communications triangle. One RAID box is located at the\n                             Jordan Road facility and the other at the Corporation\xe2\x80\x99s Menands\n                             location. Corporation officials informed us that the State of New York\n\n\n                                             Page 8\n\x0cED-OIG Management Information Report CN ED-OIG/A05-90044\nReview of New York State Higher Education Services Corporation's Year 2000 Readiness\n\n                             is in the process of consolidating its data centers and until it finalizes the\n                             consolidation plans the issue of an alternative source of computer\n                             processing will remain on hold. Corporation officials agree that they\n                             need alternate computer processing capability and are awaiting a\n                             decision from the State regarding data consolidation.\n\n\n                                    Risk Analysis\nRisk Analysis Defined        A risk analysis assesses and quantifies uncertainties. With regard to the\n                             Year 2000, these inherent uncertainties or risks are date-related events\n                             (or non-events) that would have a negative effect on or endanger a core\n                             business function or critical system of the organization. The\n                             Corporation\xe2\x80\x99s core business function is the FFEL Program.\n\nDevelopment of High          Booz\xe2\x80\xa2Allen & Hamilton, GLOS\xe2\x80\x99s technical support contractor,\nImpact Risk List             developed a list of high impact risks based on areas identified by (1)\n                             individual and overall risk assessments (via telephone interviews), (2)\n                             GLOS management, and (3) industry best practices. Booz\xe2\x80\xa2Allen &\n                             Hamilton organized the resulting list into risk categories and\n                             subcategories. We added one subcategory to include service provider\n                             certifications. All items listed were identified as high impact risks to\n                             both the Corporation and GLOS. We scored each risk category and\n                             subcategory using the following scoring system. The scoring ranged\n                             from minus (-) to plus (+) (see legend in following table). A minus\n                             indicates the Corporation has not taken steps to mitigate the associated\n                             risk. A plus indicates the Corporation appears to be successfully\n                             mitigating Year 2000 risks. To receive a plus score, the Corporation\n                             had to demonstrate actions taken to eliminate or reduce the effect or\n                             likelihood of a risk/threat before the time horizon to failure for that\n                             subcategory.\n\n\n\n\n                                               Page 9\n\x0cED-OIG Management Information Report CN ED-OIG/A05-90044\nReview of New York State Higher Education Services Corporation's Year 2000 Readiness\n\n                                HIGH RISK CATEGORIES AND                                      RISK\n                                     SUBCATEGORIES                                          MITIGATED\n\n     MANAGEMENT\n     Organization/Project Office. Upper management support. Unified message.                    +\n     Audit/Quality Assurance of Year 2000 effort in place.                                      +\n     Project plan and schedule in place, in use and running as planned. (Sufficient             +\n     progress by phase. Little or no slippage. Able to meet March 31, 1999 deadline.)\n     TECHNICAL\n     Inventory (hardware, software, interfaces, and embedded technology) completed.             +\n     Appropriate designation of mission critical systems. FFEL Program systems                  +\n     designated as mission critical.\n     Renovation approach. Standard methodology - used normal system development life            0\n     cycle in approaching Year 2000 project. Renovation decisions based on analysis,\n     such as impact studies.\n     Testing approach. Evaluation of methods, plans, and results. All levels of testing         0\n     addressed: unit, integration, systems, acceptance, and interfaces (true tests versus\n     mimic tests). Used adequate testing procedures (regression, performance, stress, and\n     forward and backward time). Tested critical Year 2000 dates.\n     Data exchange issues resolved.                                                             +\n     Formal process of certification of system compliance in place.                             +\n     Formal process for obtaining Year 2000 certifications from key service providers.          +\n     Contingency planning (Plans are a priority and are in place).                              0\n     *Scoring Legend\n             -         No risk mitigation activity has occurred.\n             -/0       Efforts have been initialized in order to mitigate risks.\n             0         Appears to be moderately mitigating risks.\n             0/+       Appears to be satisfactorily mitigating risks.\n             +         Appears to be successfully mitigating risks.\n\n\nAreas of Risk                      The following risks were identified by category and evaluated as to the\n                                   probability and acceptability of occurrence:\n\n                                   \xe2\x80\xa2         Renovation approach: The Corporation determined that its\n                                             current DMCS is Year 2000 compliant. However, the\n                                             Corporation used the year '10' for windowing which could\n                                             cause minor errors with the current DMCS in early 2000 if it\n                                             projects a date 10 years into the future. Corporation officials\n                                             agreed to look into the windowing issue and that it is a potential\n                                             problem should the new DMCS system encounter serious\n                                             delays. It is expected that this new system will be implemented\n                                             in January or February 2000. We informed the Corporation\n                                             officials that if the new system is not ready, they should\n                                             determine a \xe2\x80\x9cfailure date,\xe2\x80\x9d which is a date when the windowing\n                                             will no longer function as intended.\n\n                                                      Page 10\n\x0cED-OIG Management Information Report CN ED-OIG/A05-90044\nReview of New York State Higher Education Services Corporation's Year 2000 Readiness\n\n\n                             \xe2\x80\xa2       Testing approach: The Corporation has not completed\n                                     independent verification and validation testing. However, the\n                                     Corporation has sent out a Request for Proposal and received\n                                     23 responses. A Corporation official indicated that it was\n                                     evaluating the responses and that the independent verification\n                                     and validation testing is planned. The lack of independent\n                                     testing is mitigated in that the Corporation had independent\n                                     contractors perform modifications to the Loan System and\n                                     DMCS while the Corporation assigned Data Processing staff to\n                                     oversee and monitor the project. In addition, the Corporation\n                                     staff performed user acceptance testing.\n\n                             \xe2\x80\xa2       Contingency Planning: We believe that the Corporation\xe2\x80\x99s Year\n                                     2000 contingency plan methodology is adequate and it is\n                                     making satisfactory progress. However, the Corporation has\n                                     not fully developed a contingency plan that covers all Year\n                                     2000 issues. While the Corporation has completed most of the\n                                     contingency plan, it has not established a plan for a backup\n                                     computer to run its systems should the current mainframe fail.\n                                     A Corporation official informed us that the State of New York\n                                     has control over the system and is in the process of\n                                     consolidating its data centers. Until the State makes decisions\n                                     regarding the consolidation, the Corporation cannot move\n                                     forward and finalize its contingency plans.\n\n\n                 Conclusion and Recommendation\nGLOS Should Monitor          Our evaluation of the Corporation\xe2\x80\x99s Year 2000 readiness indicates that\nthe Corporation\xe2\x80\x99s            the entity is making satisfactory progress and has completed all phases\nProgress                     of its Year 2000 efforts with the exception of the issues identified\n                             below. We believe that the Corporation\xe2\x80\x99s Year 2000 efforts are\n                             satisfactory because the entity exhibits acceptable performance in all\n                             key phases of the Year 2000 project management process. Although\n                             the Corporation\xe2\x80\x99s performance as a whole is satisfactory, GLOS\n                             should monitor the Corporation to ensure that it: (1) addresses a\n                             potential problem associated with its use of the year '10' for windowing\n                             in the DMCS, (2) completes independent verification and validation\n                             testing, and (3) addresses backup computing capability in its\n                             contingency plan.\n\n\n\n\n                                            Page 11\n\x0c                                                                                         APPENDIX\n\n\nBackground\n\nED is in the process of ensuring that all of its computer systems and the interfaces between them and\nthe systems of its trading partners are Year 2000 compliant. Year 2000 compliance (or readiness)\nrefers to the capability of a product to correctly process, provide, and/or receive data containing dates\nfrom, into, and between the 20th and 21st centuries. A system\xe2\x80\x99s ability to accurately process date and\ntime data is crucial to continuing a business\xe2\x80\x99 normal operations beyond the turn of the century. Failure\nto address this issue could result in erroneous system execution or system failure.\n\nED issued Dear Colleague Letter 98-G-306 to guaranty agencies to reinforce the seriousness of Year\n2000 compliance. It advised guaranty agencies of the potential impact of the Year 2000 problem and\nthe importance of an aggressive approach to ensure that the FFEL Program will continue unimpaired.\nThe letter further emphasized meeting the critical milestone dates for each of the five phases set by the\nOffice of Management and Budget and the General Accounting Office. The designated phases for a\nYear 2000 readiness plan are awareness, assessment, renovation, validation, and implementation (with\nongoing contingency planning throughout the entire project).\n\nIn July 1998, ED retained Booz\xe2\x80\xa2Allen & Hamilton to assess the Year 2000 readiness of the guaranty\nagencies. In September 1998, Booz\xe2\x80\xa2Allen & Hamilton conducted telephone interviews with all 36\nguaranty agencies. The results of those interviews, as well as a determination of the ability of guaranty\nagencies to mitigate their Year 2000 risks, were presented to ED. As part of ED\xe2\x80\x99s ongoing efforts to\nassure the Year 2000 compliance of guaranty agencies in the FFEL Program, Booz\xe2\x80\xa2Allen & Hamilton\nsubsequently conducted on-site Year 2000 reviews of a number of guaranty agencies selected by\nGLOS.\n\nGLOS contracted with Booz\xe2\x80\xa2Allen & Hamilton to conduct a second round of the Year 2000 readiness\nassessments at select guaranty agencies. The Office of Inspector General supplemented GLOS\xe2\x80\x99\nactivities to ensure Year 2000 compliance by evaluating the Corporation\xe2\x80\x99s Year 2000 readiness.\n\nObjectives, Scope, and Methodology\n\nWe performed our evaluation according to methodology established by the Booz\xe2\x80\xa2Allen & Hamilton\nReviewer\xe2\x80\x99s Guide Guaranty Agency Ongoing Year 2000 On-site Readiness Review (6/99). Our\nobjectives were to assess whether the Corporation: (1) developed adequate management plans to\nachieve Year 2000 compliance for its own computer systems and those of its information or data\ninterface partners, and (2) is monitoring the implementation and achievement of critical milestones for\neach phase of the plan. Given the objectives of our review, the team only evaluated the Corporation\xe2\x80\x99s\nYear 2000 management plan and any documentation supporting the Corporation\xe2\x80\x99s Year 2000 efforts.\nWe performed all work in accordance with ED-OIG Policies and Procedures Manual Chapter 2310:\nAlternative Services and Products. Therefore, we did not: (1) have a survey phase, (2) perform an\ninternal controls review, or (3) assess the reliability of any computer processed data.\n\n\n\n                                                 Page 1\n\x0c                                                                                     APPENDIX\n\n\nWe conducted our on-site field work at the Corporation in Albany, New York from June 15 - 22,\n1999. On August 10, 1999, we updated certain information. We examined documentation supporting\nthe Corporation\xe2\x80\x99s progress for each phase of the Year 2000 project and interviewed Corporation\npersonnel. We did not attempt to complete work that would provide assurance that the Corporation\xe2\x80\x99s\nYear 2000 compliance plan will work, only that it was meeting or exceeding milestones.\n\nThis Management Information Report is intended to provide information for decision makers and is not\nan audit or investigative report. We conducted our review according to government auditing standards\napplicable to the limited scope review described.\n\n\n\n\n                                               Page 2\n\x0c                       REPORT DISTRIBUTION LIST\n                    CONTROL NUMBER ED-OIG/A05-90044\n\nAction Official                                                         No. of Copies\nMr. Greg Woods                                                               Original\nChief Operating Officer\nOffice of Student Financial Assistance\nU. S. Department of Education\n\nOther ED Officials\nYear 2000 Project Director\nOffice of the Chief Information Officer                                         1\n\nBarry Morrow, General Manager, Financial Partners, Office of Student            1\nFinancial Assistance\n\nDirector, Office of Public Affairs                                              1\n\nLinda Paulsen, Acting CFO, Office of Student Financial Assistance        Electronic copy\n\nSecretary\xe2\x80\x99s Regional Representative - Region II, New York                       1\n\nED-OIG Officials\nInspector General                                                        Electronic Copy\n\nDeputy Inspector General                                                 Electronic Copy\n\nAssistant Inspector General for Audit                                    Electronic Copy\n\nAssistant Inspector General for Investigations                           Electronic Copy\n\nAssistant Inspectors General for Operations                            Electronic Copies (2)\n\nCounsel to the Inspector General                                         Electronic Copy\nPlanning, Analysis, and Management Services                              Electronic Copy\n\nAudit Services                                                                  1\n\nRegional Inspector General for Investigations - Boston                          1\n\nArea Audit Managers\n      Atlanta, Dallas, Kansas City, New York, Philadelphia,            Electronic Copies (7)\n      Sacramento, and Washington\n\nRegion V Audit Office                                                           2\n\x0c"